tom/darkly
1
0
Fork 0
mirror of https://github.com/tmoron/darkly.git synced 2025-09-27 12:48:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

add readme for content-type bypass and input validation

Browse Source
This commit is contained in:
tomoron
2025-04-08 17:22:49 +02:00
parent 30b2ba0738
commit adea3bb76a
2 changed files with 61 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
input_validation/README.md Normal file
View File

@ -0,0 +1,19 @@
# Client side validation bypass
## How We Found It
On the home page, there is a link to a survey page. this page has a list of subject, an average score and a number of vote. We can give a grade between 0 and 10.
But what if we change in the html page, the value of a score and put something bigger than 10, can we put a grade of 1000 ?
Yes we can, and we get a flag.
## Utility of It
This allows an attacker to:
- Submit invalid or malicious data (e.g., score > 10).
- Manipulate application logic (e.g., gain unfair advantage or retrieve flags).
- Potentially exploit further vulnerabilities if the data is used insecurely elsewhere (e.g., SQL injection, XSS).
## How Can We Patch It
- Validate all input on the server side regardless of client-side checks.
- Enforce boundaries (e.g., score must be between 0 and 10) on the backend.
- Use a schema validation library or built-in mechanisms to reject bad data.
- Never trust client-side data blindly — browsers can be manipulated.